Note also that for FreeBSD test user names must be less than 16 characters long or actual log-in will not succeed. This is due to http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133926 which is still not fixed in FreeBSD 9.1. It is recommended to create a user in Active Directory with a short name so that total name length, including the realm, will not be greater than 16 characters. For example, user@example.com is 16 characters long.

Also set some password for the newly created user so that we can log in using his credentials.

$ ipa passwd tuser

Install required packages

The package installation step differs for every OS or distribution. For nss-pam-ldapd, simply install the packages using yum:

# yum install nss-pam-ldapd pam_ldap authconfig

The authconfig utility will help us configure the PAM stack.

Configure nss-pam-ldapd and pam_ldap

Next the nss-pam-ldapd needs to be configured. The configuration will point to a "compat tree" which is a parallel LDAP tree autogenerated from the main tree and tailored so that it matches the expectations legacy clients might have. The configuration includes two important items:

LDAP URI - The URI is simply the host name of the IPA server prefixed with ldap://. For example, if the hostname was srv.ipa.example.org, then the URI would be ldap://srv.ipa.example.org

LDAP search base - The LDAP search base we need consists of the base DN prefixed with "cn=compat", which is the container the compat tree lives in. To get the base DN, take the IPA domain name and substitute each dot for a "dc=". For example, the IPA domain ipa.example.org would yield base DN dc=ipa,dc=example,dc=org. The full search base you want to use would then be cn=compat,dc=ipa,dc=example,dc=org

Using authconfig

Configuring the system to authenticate with IPA using authconfig is a matter of one shell command once you know the LDAP URI and the search base.

Identity lookups of IPA users and groups

Try to request data about the user that was created on the start of this test:

$ getent passwd tuser
$ getent group tgroup
$ id tuser

The commands above should reflect that tuser is member of tgroup.

Authentication as IPA user

ssh client.example.org -l tuser

Identity lookups of trusted users and groups

When requesting the user from a trusted domain, the username must be fully qualified in the form of username@ad-domain. Additionaly, to conform with nss-pam-ldapd limitation, the username and domain name must be lowercased to match the name in the compat tree with respect to case.

To request a from the trusted domain:

$ getent passwd administrator@ad.example.org

Note also that for FreeBSD test user names must be less than 16 characters long or actual log-in will not succeed. This is due to http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133926 which is still not fixed in FreeBSD 9.1. It is recommended to create a user in Active Directory with a short name so that total name length, including the realm, will not be greater than 16 characters. For example, user@example.com is 16 characters long.

Authentication as trusted user

Again, the username must be fully qualified and lowercased:

ssh client.example.org -l administrator@ad.example.org

Expected Results

Both users from the IPA domain and the trusted domain should be able to log in.